Reputation: 1439
Users waitOn a data subscription:
    waitOn: function(){
      if(Meteor.user()){
        var current_user_admin_status = Meteor.user().admin;
        console.log(current_user_admin_status);
        return Meteor.subscribe('users', current_user_admin_status);
      }
    }
But current_user_admin_status always returns null, even though I can go into the db and find the admin field
    db.users.find({"_id" : "6Mqx5Ky92bZfhaX8A"}, {"admin" : 1})
    { "_id" : "6Mqx5Ky92bZfhaX8A", "admin" : true }
I'm defining this variable on the client, to pass to the server to only publish user collection if current user is an admin, but it keeps getting caught on the null if else statement
    Meteor.publish('users', function(current_user_admin_status){
      if(!this.userId){
        console.log('you are not signed in');
      }
      else if( current_user_admin_status = 'null' ){
        console.log('you are not an admin');
      } else if ( current_user_admin_status = 'false' ) {
        console.log('you are not an admin');
      } else if (current_user_admin_status = 'undefined'){
        console.log('you are not an admi');
      } else {
        console.log('you are logged in as an admin');
        return Meteor.users.find({}, {fields: {createdAt: 1, admin: 1, emails: 1, username: 1, first_name: 1, last_name: 1}});
      }
    });
Upvotes: 1
Views: 504
Reputation: 4639
There are a couple of important points to note here. First, relating to the question comments, it is not safe to add an admin field to user.profile unless you have added specific allow/deny rules to prevent it from being edited. See the first point in this article. By default the user.profile field is editable by its user and in general you should store sensitive fields such as admin outside it.
Second, the most likely reason you are not receiving user.profile.admin on the client is because you are not publishing it. You should first create a publication for the logged-in user to send fields outside of the default fields noted in the comments down to the user.
Lastly, there is an excellent and widely used package for handling authorization, roles, that has already addressed the security concerns above. I recommend using that: https://github.com/alanning/meteor-roles
Upvotes: 2
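An added example, not code from either poster: a publication that sends the logged-in user their own `admin` field, and a `users` publication that takes no client argument and instead reads the admin flag on the server from `this.userId`. It assumes `admin` is a top-level field as in the question's db output and a Meteor version with synchronous server-side `findOne`; the names `ownAdmin`, `publishOwnAdmin`, `publishUsers` and the in-memory stand-in used outside Meteor are hypothetical.

```javascript
// Outside Meteor, a constructed in-memory stand-in replaces Meteor.users
// so the authorization logic can be exercised on its own.
const inMeteor = typeof Meteor !== 'undefined';
const SAMPLE = [ // constructed sample documents
  { _id: 'a1', username: 'alice', admin: true, services: { password: 'x' } },
  { _id: 'b2', username: 'bob' },
];
// Keep _id plus the whitelisted fields, like a Mongo field projection.
const pick = (doc, fields) =>
  Object.fromEntries(Object.entries(doc).filter(([k]) => k === '_id' || fields[k]));
const standIn = {
  find: (sel, opts) =>
    SAMPLE.filter(d => !sel._id || d._id === sel._id).map(d => pick(d, opts.fields)),
  findOne: (id, opts) => standIn.find({ _id: id }, opts)[0],
};
const Users = inMeteor ? Meteor.users : standIn;

const ADMIN_VIEW = { createdAt: 1, admin: 1, emails: 1, username: 1, first_name: 1, last_name: 1 };

// Sends the logged-in user their own `admin` field, which is not published by default.
function publishOwnAdmin() {
  if (!this.userId) return this.ready();
  return Users.find({ _id: this.userId }, { fields: { admin: 1 } });
}

// No client-supplied flag: the decision uses only this.userId and the stored document.
function publishUsers() {
  if (!this.userId) return this.ready();               // not signed in
  const me = Users.findOne(this.userId, { fields: { admin: 1 } });
  if (!me || me.admin !== true) return this.ready();   // signed in, not an admin
  return Users.find({}, { fields: ADMIN_VIEW });       // admin: whitelisted fields only
}

if (inMeteor) {
  Meteor.publish('ownAdmin', publishOwnAdmin);
  Meteor.publish('users', publishUsers);
}
```

On the client, the route would then call `Meteor.subscribe('users')` with no argument, and the server alone decides whether any documents are sent.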